[OpenAFS] PAGs aklog and PAM

Charles Clancy mgrtcc@cs.rose-hulman.edu
Tue, 12 Jun 2001 10:38:04 -0500 (EST) 

On 12 Jun 2001, Sam Hartman wrote:

> >>>>> "Charles" == Charles Clancy <mgrtcc@cs.rose-hulman.edu> writes:
>
>     Charles> Looking at the pam_openafs_session PAM module, I don't
>     Charles> see how it could work.  As I understand it, it does the
>     Charles> following: 1. fork 2. setuid (user logging in) 3. exec
>     Charles> aklog -setpag
>
> So, I'm certainly not seeing that behavior with openssh and
> libpam-openafs-session.  I suspect that it has to do with who is the
> session leader/process group leader and possibly with the OS involved.

Sparc Solaris 8 64-bit, OpenAFS 1.0.4.

> The -setpag argument to aklog is a hack.

In looking at the aklog source, it looks like its PAG code used to do a
setpag(), but now ktc_SetToken() takes care of that:

from aklog_main.c:
    /*
     * The code that _used_ to be here called setpag().  When you think
     * about this, doing this makes no sense!  setpag() allocates a PAG
     * only for the current process, so the token installed would have
     * not be usable in the parent!  Since ktc_SetToken() now takes a
     * 4th argument to control whether or not we're going to allocate
     * a PAG (and since when you do it _that_ way, it modifies the cred
     * structure of your parent)), why don't we use that instead?
     */

Does anyone have any comments on ktc_SetToken()?  Would it be better to
use that, instead of setpag()?

> You could link against AFS libraries and set up the pag yourself ...

and I have, just staticly

> ... if shared libraries were available,

Why aren't they?  Is there an option to generate them at compile time?  I
remember having the same problem with Kerberos not generating them by
default.  I've been using the binaries from the website because I don't
have Sun's compiler.

> but linking static libs into a PAM module is an even bigger
> hack.

Hmm... is there an alternative?
_______________________________________________________
      Charles Clancy -- mgrtcc@cs.rose-hulman.edu
Senior UNIX Administrator, Rose-Hulman Computer Science